How I was able to bypass the admin portal by using the default credentials in BBC Corporation.

Pratikkhalane
Published in InfoSec Write-ups
3 min read · Jun 15, 2021

Hello everyone, today I will be talking about one of the critical bugs I found on the BBC website: bypassing the admin portal using default credentials. Now, let’s start with the recon process.

Step 1:

1) There are multiple tools for finding subdomains; a few of them are listed below:

i) Findomain

ii) Subfinder

iii) knock.py

2) To pick out the live hosts from the subdomain list, we can use tools such as:

i) httprobe

ii) httpx

I prefer findomain because it gets results quickly, so the command looks something like this:

Command: findomain -t bbc.com | httpx | tee bbc.txt

You can also run several subdomain tools and save all of their results into a single file.

Step 2:

Now that we have the subdomains from all three tools in one file, we can use the tool called “Naabu”, a port scanner that checks each host saved in the file for open ports.

To run it against that file, the command is:

Command: naabu -iL bbc.txt | tee bbcportscan.txt

Step 3:

After scanning all of the subdomains, I found one host with port 8080 open.

The site did not open via its hostname, so I replaced the DNS name with the IP address to check whether it was actually reachable. It was.
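The forgotten host on 8080 is exactly what a defender should be hunting for in their own scan output. The following added example (not the author's code) parses naabu-style host:port lines, compares each host against a baseline of expected web ports and ranks off-baseline findings, with alternate HTTP ports first because they often front an admin console. The sample output, hostnames and port baseline are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of naabu output (one host:port per line); not real scan data.
SAMPLE_NAABU_OUTPUT = """\
www.example.com:443
www.example.com:80
legacy-admin.example.com:8080
legacy-admin.example.com:22
[2001:db8::1]:443
"""

# Ports expected on a public web host (assumed baseline); anything else gets flagged.
BASELINE_PORTS = {80, 443}
# Alternate HTTP ports where forgotten admin consoles are commonly left exposed.
ALT_HTTP_PORTS = {8000, 8080, 8443, 8888}

def parse_naabu(text):
    """Parse host:port lines into {host: set(ports)}; handles [ipv6]:port too."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            continue  # malformed line: skip rather than abort the whole report
        if host.startswith("[") and host.endswith("]"):
            host = host[1:-1]
        hosts[host].add(int(port))
    return dict(hosts)

def unexpected_ports(hosts, baseline=BASELINE_PORTS):
    """Return {host: sorted off-baseline ports} for hosts exposing anything extra."""
    return {h: sorted(p - baseline) for h, p in hosts.items() if p - baseline}

def triage(hosts):
    """Rank findings so alt-HTTP ports (likely admin UIs) come first."""
    findings = []
    for host, ports in unexpected_ports(hosts).items():
        for port in ports:
            kind = "alt-http" if port in ALT_HTTP_PORTS else "other"
            findings.append((host, port, kind))
    findings.sort(key=lambda f: (f[2] != "alt-http", f[0], f[1]))
    return findings

if __name__ == "__main__":
    for host, port, kind in triage(parse_naabu(SAMPLE_NAABU_OUTPUT)):
        print(f"{host}:{port}  [{kind}]")
```

Feed it the real naabu file (the bbcportscan.txt from Step 2) and reconcile every flagged host against the asset register; a host nobody claims is the one to decommission or put behind SSO before someone else finds it.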

Step 4:

When I opened the website, it looked something like this:

(Screenshot: Admin Login Page)

Step 5:

This part was easy. I thought the defaults admin : admin, root : password or administrator : password might work, but I was wrong. Then I tried the username and password “admin : password” and it worked.

I was actually shocked to see that the admin page still accepted default credentials, and I had full access to the admin panel.

(Screenshot: Admin Page)

After reporting this issue to the BBC Security Team, I was listed on their Hall of Fame page and will receive a limited edition bug-finder BBC T-shirt.

https://www.bbc.com/backstage/security-disclosure-policy/acknowledgements

They took the whole website down and blocked all access to the admin panel.

Timeline

  1. Reported: June 10
  2. Mitigated: June 13
  3. Acknowledged in the hall of fame: June 14

I have also reported an FTP server that accepts the default “anonymous” login, so that is one more bug on the way to the cool swag :)

Takeaway

Always try the default credentials on every login page; if they still work, they can compromise the whole system.

Stay tuned for more writeups.

Thanks for reading this. Comments and feedback are welcome.
